Q&A

Cyber Security Versus Physical Security: Smackdown!

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

By Scott Berinato


It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember reading an editorial suggesting that to fix this, cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective. Having that ability to essentially come into an organization and get it to think another way, I mean, that's the challenge that we all face. The biggest challenge I've had here is getting my employees to think like crooks, instead of like IT guys trying to stop crooks. If they can't think like crooks, they're never going to see the things that I need to know about.

Campbell: The bias is clear every year when we make the annual trek to the ASIS exhibit hall to find out what the technocrats have created for us. It's easy to see this is technology in search of an application, but as CSOs, we also have a responsibility. Are we truly engaged with the technology community in articulating what our needs are? I think the answer to that, quite frankly, is no. For example, issues around trade secrets are soft and don't necessarily have technology to address them. I've been looking for years for a technology like the smokeless, dust-free paper shredder, to make it easy and effective to destroy sensitive information. Because if [an executive has] to get up and walk down the hall to shred a document (these guys who are too damn important to think about things like that), they leave it for others to deal with, which is a security issue.

So I think technology is doing a hell of a job around what it has been built to do, but there's still an awful lot on the operational side of information protection where it hasn't been applied. Until now, we've let the CISOs have much more say in what the technocrats bring to market.

Spernow: You're inferring that we don't look at other solutions, and we're going to miss the big one that is actually going to work and that, instead, we're going to spend a lot of time looking at small ones that don't work. In a lot of cases, that is where we're at now. A lot of the controls we have here look good, sound good and they're portable, but they don't work. Because we don't take the user into account or the actual individual who is part of the threat.

CSO: Let's get back to the CSO versus the CISO. Has there been a tacit promotion of CISOs in some organizations to take on some of the broader CSO roles, whether or not the anointed individuals are prepared?

Spernow: I'll be honest with you, when I was involved in the analyst community, we were all writing papers that said, "You need to have a CISO as part of your staff because you need somebody to champion the budget for info security that we see coming down the pike. And if that budget is left to IT, it won't be spent well." So in some cases we've created this quagmire of putting a person in the position [whose credentials weren't] truly analyzed in depth. But it made sense at the time.
